Could you please point stupid me to the right piece of documentation?
I've build Kerberos realm, where KDC is MS AD, servers are OpenSSH and
OpenLDAP on Solaris 8, clients are on Solaris and Cygwin. I have used
GSSAPI implementation from Heimdal and MIT with equal success -
everything worked just perfectly!
Now for some odd reasons I have to build pure UNIX realm and to
establish one-way trust, where UNIX realm trusts AD, and users once
logged into the AD realm, should be able also to logged into the UNIX
I have tried both Heimdal 0.6.4 and MIT 1.4.1 as UNIX realm, and in both
cases I have the same result with OpenSSH:
1) assuming that AD realm is called A, and UNIX realm is called B,
client obtains TGT for realm A.
2) trying to ssh into realm B client gets ticket
3) client gets ticket host/whatsoever@B
and at this moment GSSAPI fails to establish context between client and
server SSH. SSH server writes in log "gssapi-with-mic failed" ...
Since both Heimdal and MIT behaves exactly in the same manner with
several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
with AD and Heimdal/MIT if not trying them to trust each other, I am
absolutely sure that I've missed right documentation ...